macOS and iOS management with a twist of Jamf (less travel, a lot more tech)

Integrate Azure LDAP in Jamf Pro

With the release of Jamf Connect with Azure integration, Jamf provides a tool (amongst other functionality) to create local user accounts on your Macs, based on the identity of the user in Azure.

I noticed this latest Jamf Connect release triggers additional interest in integrating Azure as an LDAP server. Azure LDAP integration had been on my blog to-do list for some time, but other topics jumped ahead of it. So, to finally clear it from the list, here is a quick post on how to add Azure as an LDAP service in Jamf Pro.

I’ll try to keep this one as short as possible. Managing Azure AD and enabling the required services (LDAPs) is a bit beyond my scope here. Allow me to assume that you have already configured it for other integrations outside Jamf Pro.

Nevertheless, let’s run through the different steps at a high level and highlight some important notes. After this we’ll have a look at the default mapping settings in Jamf Pro.

Let’s not try to re-invent the wheel here. Microsoft has a very extensive KB on how to enable LDAPs in Azure. I’ll run through it at a high level, but I’d really recommend following it to the letter if you still have to set it up.

Before you can enable LDAPs you’ll need to have the Domain Services configured. Use this Microsoft KB to do so. Going through this would make this post way too long, and as said, the Microsoft KB is very detailed and straightforward to follow. I’m not an Azure expert or admin, so if I can do it, you should not have any problems either.

The initial configuration will ask you to go through the following 5 steps:

Azure will start the deployment of the Domain Services, and you’ll see a notification ‘Deployment in progress’. This can take about an hour to complete! Just be patient and, as always, get a coffee… ☕️☕️☕️

In the meantime, have a look in the Azure AD Domain Services blade to see your domain being provisioned. Wait for the ‘running’ status.

When the domain is ready, you need to update DNS settings for the virtual network. Just hit configure to complete this step.

IMPORTANT STEP:

The final step to enable domain services (before we can enable LDAPs) involves rehashing the users’ passwords!

To authenticate users on the managed domain, Azure Active Directory Domain Services needs password hashes in a format that's suitable for NTLM and Kerberos authentication. Azure AD does not generate or store password hashes in the format that's required for NTLM or Kerberos authentication, until you enable Azure Active Directory Domain Services for your tenant. For obvious security reasons, Azure AD also does not store any password credentials in clear-text form. Therefore, Azure AD does not have a way to automatically generate these NTLM or Kerberos password hashes based on users' existing credentials.

At this point you should have your Azure AD and Domain Services up and running. Next is enabling LDAPs. This is where we’ll need our SSL certificate. Have a look at steps 1 and 2 in the Microsoft guide above in case you need help on how to create this certificate.

When you have your cert, go to the secure LDAP tab and enable LDAPs. Make sure to enable LDAPs via Internet, but review the warning below. Upload the .pfx, and save the configuration.

Warning: When you enable secure LDAP access over the internet, your domain is susceptible to password brute force attacks over the internet. Therefore, we recommend setting up an NSG to lock down access to required source IP address ranges. See the instructions to lock down LDAPS access to your managed domain over the internet.

To lock down LDAPs access from JamfCloud, have a look at the article here to find the IP addresses which JamfCloud uses outbound. As I’m integrating in JamfCloud (EU) here, I locked it down like this:

That’s it! Now you should be all set to integrate Azure LDAPs into Jamf Pro.
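To check that the NSG lock-down does what Microsoft’s warning asks before you point Jamf Pro at the domain, here is an added example (not from this post, nor from Jamf or Microsoft): a small Python audit over a rule list in the shape of `az network nsg rule list -o json` output that reports any allowed range that is blocked and any other internet address that can still reach TCP 636. The IP ranges, rule names and probe address are constructed placeholders rather than Jamf Cloud’s real outbound addresses, and service tags other than Internet are skipped instead of being expanded.

```python
import ipaddress
ALLOWED_SOURCES = ["203.0.113.0/24", "198.51.100.10/32"]  # placeholders, not Jamf Cloud's real IPs

# Constructed sample shaped like `az network nsg rule list -o json`: rule 100 is the
# intended lock-down, rule 200 the over-broad rule an audit should catch.
SAMPLE_RULES = [
    {"name": "AllowLDAPS-JamfCloud", "priority": 100, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp", "destinationPortRange": "636",
     "sourceAddressPrefixes": ALLOWED_SOURCES},
    {"name": "AllowLDAPS-Any", "priority": 200, "direction": "Inbound",
     "access": "Allow", "protocol": "Tcp", "destinationPortRange": "636",
     "sourceAddressPrefix": "Internet"},
]

def _port_ok(rule, port):
    for r in rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "*")]:
        lo, _, hi = r.partition("-")
        if r == "*" or int(lo) <= port <= int(hi or lo):
            return True
    return False

def _source_ok(rule, ip):
    for p in rule.get("sourceAddressPrefixes") or [rule.get("sourceAddressPrefix", "*")]:
        p = {"*": "0.0.0.0/0", "Internet": "0.0.0.0/0"}.get(p, p)
        try:
            if ipaddress.ip_address(ip) in ipaddress.ip_network(p, strict=False):
                return True
        except ValueError:  # service tags such as VirtualNetwork are skipped, not expanded
            continue
    return False

def effective_access(rules, src_ip, port=636):
    """Lowest priority number wins; Azure's built-in DenyAllInBound catches the rest."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if (rule["direction"] == "Inbound" and rule["protocol"] in ("Tcp", "*")
                and _port_ok(rule, port) and _source_ok(rule, src_ip)):
            return rule["access"], rule["name"]
    return "Deny", "DenyAllInBound"

def audit_ldaps(rules, allowed_sources, probe_ip="192.0.2.1"):
    """Findings: an allowed range that is blocked, or the probe (any internet host) reaching LDAPS."""
    findings = []
    for cidr in allowed_sources:
        access, name = effective_access(rules, str(ipaddress.ip_network(cidr)[0]))
        if access != "Allow":
            findings.append(f"{cidr} blocked by {name}")
    access, name = effective_access(rules, probe_ip)
    if access == "Allow":
        findings.append(f"{probe_ip} reaches LDAPS via {name}")
    return findings
```

Run `audit_ldaps(SAMPLE_RULES, ALLOWED_SOURCES)` to see rule 200 flagged; with only rule 100 present the audit returns no findings.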